From 09001b2f4654f39640db9b4307ea86ea030b4d14 Mon Sep 17 00:00:00 2001
From: Leandro Damascena
Date: Mon, 13 Jan 2025 16:51:06 +0000
Subject: [PATCH] chore(ci): change token permissions / update aws-credentials action (#5861)
* Improving security
* Improving security
---
 .github/workflows/bootstrap_region.yml | 13 +++++++------
 .github/workflows/layer_govcloud.yml | 6 +++++-
 .github/workflows/publish_v3_layer.yml | 4 ++--
 .../workflows/reusable_deploy_v3_layer_stack.yml | 5 +++--
 .github/workflows/reusable_deploy_v3_sar.yml | 5 +++--
 .github/workflows/reusable_publish_docs.yml | 7 ++++---
 .github/workflows/run-e2e-tests.yml | 5 +++--
 .github/workflows/update_ssm.yml | 10 +++++-----
 8 files changed, 32 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/bootstrap_region.yml b/.github/workflows/bootstrap_region.yml
index 8d662903c11..3cc96d3113f 100644
--- a/.github/workflows/bootstrap_region.yml
+++ b/.github/workflows/bootstrap_region.yml
@@ -1,3 +1,5 @@
+name: Region Bootstrap
+
 # bootstraps new regions
 #
 # PURPOSE
@@ -27,7 +29,6 @@ on:
 required: true
 description: AWS region to bootstrap (i.e. eu-west-1)
-name: Region Bootstrap
 run-name: Region Bootstrap ${{ inputs.region }}
 permissions:
@@ -38,13 +39,13 @@ jobs:
 name: Install CDK
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
 id-token: write
 environment: layer-${{ inputs.environment }}
 steps:
 - id: credentials
 name: AWS Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 aws-region: ${{ inputs.region }}
 role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
@@ -69,7 +70,7 @@ jobs:
 name: Copy Layers
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
 id-token: write
 strategy:
 matrix:
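Review bot: Both `configure-aws-credentials` steps in this workflow receive the `# v4.0.2` pin comment but not the `mask-aws-account-id: true` that this same commit adds to the credential steps of the other workflows; as far as I recall the action's default for account-id masking has not been stable across its major versions, so it is better not to rely on it and to add `mask-aws-account-id: true` under `with:` after `role-to-assume:` here as well, unless it already sits on the line just past the hunk's trailing context. The pin itself is good practice: a full commit SHA with the human-readable version kept in a comment. `contents: read` plus `id-token: write` behind `environment: layer-${{ inputs.environment }}` is the right minimal shape for an OIDC deploy job.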
@@ -90,7 +91,7 @@ jobs:
 steps:
 - id: credentials
 name: AWS Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 aws-region: us-east-1
 role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
@@ -106,4 +107,4 @@ jobs:
 run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@latest
 - id: run-balance
 name: Run Balance
- run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false
\ No newline at end of file
+ run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false
diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml
index 0515c24c7bd..9d1be514a27 100644
--- a/.github/workflows/layer_govcloud.yml
+++ b/.github/workflows/layer_govcloud.yml
@@ -1,3 +1,5 @@
+name: Layer Deployment (GovCloud)
+
 # GovCloud Layer Publish
 # ---
 # This workflow publishes a specific layer version in an AWS account based on the environment input.
@@ -32,9 +34,11 @@ on:
 type: string
 required: true
-name: Layer Deployment (GovCloud)
 run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
+permissions:
+ contents: read
+
 jobs:
 download:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish_v3_layer.yml b/.github/workflows/publish_v3_layer.yml
index 6f537f6b9cb..55571500889 100644
--- a/.github/workflows/publish_v3_layer.yml
+++ b/.github/workflows/publish_v3_layer.yml
@@ -303,8 +303,8 @@ jobs:
 needs: [update_v3_layer_arn_docs, prepare_docs_alias]
 permissions:
 # lower privilege propagated from parent workflow (release.yml)
- contents: write
- pages: write
+ #contents: write
+ #pages: write
 pull-requests: none
 id-token: write
 secrets: inherit
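Review bot: Commenting out `contents: write` and `pages: write` instead of deleting them leaves dead configuration in the job's `permissions` block, and the real effect is stronger than a comment suggests: once any scope is listed, every scope not listed is set to `none`, so this job now passes `contents: none` and `pages: none` to the reusable workflow it calls (`secrets: inherit` and the `needs` on the docs jobs suggest the docs publisher, which this same commit changes to request `contents: read`). A called workflow cannot be granted more than its caller allows, so a callee requesting `contents: read` against a caller granting `none` is rejected at run time; either add `contents: read` here explicitly or confirm the callee actually runs with `contents: none`, and in either case delete the two commented lines so the block reads `contents: read`, `pull-requests: none`, `id-token: write`. The job definition and its `uses:` target start outside the hunk, so the callee cannot be confirmed from here.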
diff --git a/.github/workflows/reusable_deploy_v3_layer_stack.yml b/.github/workflows/reusable_deploy_v3_layer_stack.yml
index a0153461101..28782ae7efd 100644
--- a/.github/workflows/reusable_deploy_v3_layer_stack.yml
+++ b/.github/workflows/reusable_deploy_v3_layer_stack.yml
@@ -154,11 +154,12 @@ jobs:
 - name: Install poetry
 run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
- - name: aws credentials
- uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 aws-region: ${{ matrix.region }}
 role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+ mask-aws-account-id: true
 - name: Setup Node.js
 uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
diff --git a/.github/workflows/reusable_deploy_v3_sar.yml b/.github/workflows/reusable_deploy_v3_sar.yml
index 2f4c14e5486..b39096e46ca 100644
--- a/.github/workflows/reusable_deploy_v3_sar.yml
+++ b/.github/workflows/reusable_deploy_v3_sar.yml
@@ -86,11 +86,12 @@ jobs:
 artifact_name: ${{ inputs.source_code_artifact_name }}
- - name: AWS credentials
- uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+ mask-aws-account-id: true
 # NOTE
 # We connect to Layers account to log our intent to publish a SAR Layer
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
index eb3fbde7f8c..ac5172c9891 100644
--- a/.github/workflows/reusable_publish_docs.yml
+++ b/.github/workflows/reusable_publish_docs.yml
@@ -40,9 +40,9 @@ jobs:
 runs-on: ubuntu-latest
 environment: "Docs"
 permissions:
- contents: write # push to gh-pages
+ contents: read # push to gh-pages
 id-token: write # trade JWT token for AWS credentials in AWS Docs account
- pages: write # uncomment if mike fails as we migrated to S3 hosting
+ #pages: write # uncomment if mike fails as we migrated to S3 hosting
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
@@ -79,10 +79,11 @@ jobs:
 poetry run mike set-default --push latest
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 aws-region: us-east-1
 role-to-assume: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+ mask-aws-account-id: true
 - name: Copy API Docs
 run: |
 cp -r api site/
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
index 8a59d3a4634..42e1aacd311 100644
--- a/.github/workflows/run-e2e-tests.yml
+++ b/.github/workflows/run-e2e-tests.yml
@@ -70,11 +70,12 @@ jobs:
 npm ci
 npx cdk --version
 - name: Install dependencies
- run: dev-quality-code
+ run: make dev-quality-code
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 role-to-assume: ${{ secrets.AWS_TEST_ROLE_ARN }}
 aws-region: ${{ env.AWS_DEFAULT_REGION }}
+ mask-aws-account-id: true
 - name: Test
 run: make e2e-test
diff --git a/.github/workflows/update_ssm.yml b/.github/workflows/update_ssm.yml
index e1e6c8c8202..7200cec529e 100644
--- a/.github/workflows/update_ssm.yml
+++ b/.github/workflows/update_ssm.yml
@@ -1,3 +1,6 @@
+name: SSM Parameters
+run-name: SSM Parameters - Python
+
 # SSM Parameters update
 #
 # PROCESS
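Review bot: `contents: read # push to gh-pages` contradicts itself: the comment still says this job pushes to `gh-pages`, and the second hunk of this file shows the job still running `poetry run mike set-default --push latest`, a git push that is presumably authenticated with the checkout token and therefore needs `contents: write` on this job. If the docs now go only to S3 and the `mike ... --push` calls are dead, remove them (or the `--push`) and reword the comment, e.g. `contents: read # checkout only; docs are published to S3, not gh-pages`; if the push is still live, this hunk breaks the job at the push and `contents: write` has to stay. A dry run in the Docs environment before the next release would settle which of the two it is. The job header is inside the hunk but its steps run past it, so the full list of git operations is not visible here.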
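Review bot: The `run: dev-quality-code` → `run: make dev-quality-code` change is a functional fix (the bare name would not have resolved to a command) bundled into a commit described as a token-permissions change, and neither the commit message nor the step name reflects it; a reader of `- name: Install dependencies` cannot tell from the hunk what the `dev-quality-code` target does. Either rename the step to match the target it now invokes, e.g. `- name: Install dev dependencies (make dev-quality-code)`, or note the fix in the commit message so it is not mistaken for part of the security change. The rest of the hunk is consistent with the other workflows: pinned v4.0.2 SHA plus `mask-aws-account-id: true`.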
@@ -38,9 +41,6 @@ on:
 type: string
 required: true
-name: SSM Parameters
-run-name: SSM Parameters - Python
-
 permissions:
 contents: read
@@ -59,14 +59,14 @@ jobs:
 ]
 permissions:
- contents: write
+ contents: read
 id-token: write
 steps:
 - id: transform
 run: |
 echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
 - id: creds
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 aws-region: ${{ matrix.region }}
 role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }}